MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd9ac1e2f891b86ca0a5949521259ca4a89c0b8e23555bc4938eab185230cc6a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd9ac1e2f891b86ca0a5949521259ca4a89c0b8e23555bc4938eab185230cc6a
SHA3-384 hash: 251896dc33cf6c1fd9b32ae5e9fa81a244f0897f21311fce80e741ae6ffaca1cc14456a35e48947adf9928cd29087a4e
SHA1 hash: ece9c8f061220dc2390f1f1e83a3ae825e551a4e
MD5 hash: 571526093d8239f3f7ecf11992beaa1d
humanhash: wolfram-east-hamper-jig
File name:GalaxySkinChanger.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:4'164'760 bytes
First seen:2022-02-19 00:14:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep 98304:x7LwNwTgDTT51PXUajybXsui9xTzIFVWqG2g9YeE:BwNigP91XUaObXsuiXIFspqeE
TLSH T1AF1633F37453713DC066AF302B25711AB36A84F4A193F22B6C1D118D2EF58BBEA6951C
Reporter adm1n_usa32
Tags:exe Redline RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
377
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Galaxy Swapper.zip
Verdict:
Malicious activity
Analysis date:
2022-02-19 00:11:28 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/82f2b64a-00a4-494b-b04c-811357dd8682

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/242613/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6210368a875593a3cce8919b/reports/e66b7fc5-04f6-46ea-b18b-23eb9151a68d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b498fab3-008f-476c-8edb-6f437b35769f
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/942498
Signature
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 574976 Sample: GalaxySkinChanger.exe Startdate: 19/02/2022 Architecture: WINDOWS Score: 100 30 Found malware configuration 2->30 32 Malicious sample detected (through community Yara rule) 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 3 other signatures 2->36 7 GalaxySkinChanger.exe 1 2->7         started        process3 signatures4 38 Writes to foreign memory regions 7->38 40 Allocates memory in foreign processes 7->40 42 Tries to detect virtualization through RDTSC time measurements 7->42 44 Injects a PE file into a foreign processes 7->44 10 AppLaunch.exe 15 7 7->10         started        15 conhost.exe 7->15         started        process5 dnsIp6 22 91.243.59.37, 49770, 61742 MATTEOGB Russian Federation 10->22 24 cdn.discordapp.com 162.159.130.233, 443, 49811 CLOUDFLARENETUS United States 10->24 20 C:\Users\user\AppData\Local\...\Starter.exe, PE32 10->20 dropped 46 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->46 48 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 10->48 50 Tries to harvest and steal browser information (history, passwords, etc) 10->50 52 Tries to steal Crypto Currency Wallets 10->52 17 Starter.exe 2 10->17         started        file7 signatures8 process9 signatures10 26 Multi AV Scanner detection for dropped file 17->26 28 Machine Learning detection for dropped file 17->28
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fd9ac1e2f891b86ca0a5949521259ca4a89c0b8e23555bc4938eab185230cc6a/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-02-19 00:15:18 UTC
File Type:
PE (Exe)
AV detection:
19 of 28 (67.86%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7wnmdyxysg4gziffsskscjm4usujyc4oenkvxretr2vrqurqzrva._file
Verdict:
malicious
Unpacked files
SH256 hash:
faffd4a5c0e274ed9f91f6b30380cc7dbe92d8dcc88adb6ed9a29f8f7c7a047c
MD5 hash:
3b66aa270b15438dca21bd24a135ecbe
SHA1 hash:
d0620f243956cdaf705a8ed7ffe4db4f84f64485
Link:
https://www.unpac.me/results/03ce8228-8862-4173-a6ff-aa275dd254a3/
SH256 hash:
b97728659e22d2df33b42a063f330fded837d26a5b46ca20c7b265d09ffb5308
MD5 hash:
665c348d99719a51e4b33e2eac0b557e
SHA1 hash:
9afaedca60f157b734dac712cb59296f33882718
Link:
https://www.unpac.me/results/03ce8228-8862-4173-a6ff-aa275dd254a3/
SH256 hash:
fd9ac1e2f891b86ca0a5949521259ca4a89c0b8e23555bc4938eab185230cc6a
MD5 hash:
571526093d8239f3f7ecf11992beaa1d
SHA1 hash:
ece9c8f061220dc2390f1f1e83a3ae825e551a4e
Link:
https://www.unpac.me/results/03ce8228-8862-4173-a6ff-aa275dd254a3/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/fd9ac1e2f891/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fd9ac1e2f891b86ca0a5949521259ca4a89c0b8e23555bc4938eab185230cc6a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe fd9ac1e2f891b86ca0a5949521259ca4a89c0b8e23555bc4938eab185230cc6a

(this sample)

anyrun
any.run
https://app.any.run/tasks/82f2b64a-00a4-494b-b04c-811357dd8682
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/242613/

Comments